What is a Zero-day Exploit?

The term “zero-day exploit” refers to a previously unknown cyber attack that exposes a window of vulnerability, typically on the same day a weakness is discovered in computer software. A zero-day exploit can be difficult to detect; it is called “zero day” because the software vendor has had zero days to respond by the time the attack is discovered. Exploits often go unnoticed and are sold on the black market. Continue reading for a recent discovery involving these exploits and what you can do to protect against zero-days.

Hafnium Zero-day Exploit

On March 2, 2021, the Microsoft Security Response Center released updates for vulnerabilities affecting on-premises deployments of Microsoft Exchange Server 2013/2016/2019. Microsoft also revealed details of active exploitation of these vulnerabilities using zero-day exploits. The exploited vulnerabilities span several classes, including server-side request forgery (SSRF), deserialization, and a set of arbitrary file write vulnerabilities, all affecting on-premises Exchange deployments. Each of these vulnerabilities was assigned a CVSS base score of 7.8 or higher, placing its severity rating in the High or Critical range.

When disclosing the active exploitation of these vulnerabilities, Microsoft provided attribution details for the activity in real time. Per their research, the activity is associated with a state-sponsored group they have named “HAFNIUM”. This threat group has reportedly been actively targeting various industries within the United States, ranging from law firms to defense contractors. HAFNIUM has historically been associated with exploitation of vulnerabilities in publicly accessible services and with specific targeting of Microsoft Windows and Office 365 environments. HAFNIUM also uses readily available open-source tools in its attacks, including Covenant, Nishang, PowerCat, and other common offensive security tools.

ReliaQuest Threat Advisory Report

The ReliaQuest Threat Management Team is actively collecting, categorizing, and vetting Indicators of Compromise (IoCs) related to this campaign. Known IoCs are being continuously ingested into the GreyMatter Intel platform for use in investigations by the ReliaQuest SOC and ReliaQuest GreyMatter customers. We have proactively engaged with our customers so they understand the risk this campaign poses, and have built automated retroactive hunts for known indicators of compromise for those affected. The RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Days outlines what is known about the vulnerabilities and their exploitation in more detail, including IoCs and GreyMatter detection capabilities mapped to MITRE ATT&CK and the Kill Chain.
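To illustrate what a retroactive IoC hunt like the one described above does, here is a small added example written for this page; it is not ReliaQuest's GreyMatter tooling or code from the advisory. It sweeps historical web-server access logs and a file-hash inventory against an indicator feed and records, per indicator, the hit count, first and last time seen, and which sources contained it. Every indicator, address, path, hash and log line in it is a constructed placeholder (the IP addresses are RFC 5737 documentation ranges), not a real HAFNIUM IoC; a real hunt would load the feed from the advisory and read logs from the affected servers.

```python
"""Retroactive IoC hunt over constructed sample data (added example).

Every indicator, address, path and hash below is a CONSTRUCTED placeholder;
none of them are real HAFNIUM or ReliaQuest indicators.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

# Constructed placeholder indicator feed keyed by indicator type.
IOC_FEED: Dict[str, Set[str]] = {
    "ip": {"203.0.113.10", "198.51.100.7"},   # RFC 5737 documentation addresses
    "user_agent": {"ExampleScanner/1.0"},
    "path": {"/owa/auth/placeholder.aspx"},
    "sha256": {"a" * 64},
}

# Constructed access-log lines (NCSA combined format), plus one malformed line.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [03/Mar/2021:01:12:44 +0000] "POST /owa/auth/placeholder.aspx HTTP/1.1" 200 512 "-" "ExampleScanner/1.0"
192.0.2.25 - - [03/Mar/2021:01:13:02 +0000] "GET /owa/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2021:09:40:10 +0000] "GET /ecp/default.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2021:22:05:59 +0000] "GET /owa/ HTTP/1.1" 200 2048 "-" "curl/7.68.0"
this line is deliberately malformed and must be skipped rather than crash the hunt
"""

# Constructed file inventory ("path,sha256"), as a scheduled hashing job might emit.
# The second digest is upper case to show that matching must normalise case.
SAMPLE_FILE_INVENTORY = (
    "/var/www/placeholder/good.aspx," + "b" * 64 + "\n"
    "/var/www/placeholder/suspect.aspx," + "A" * 64 + "\n"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    """Aggregated evidence for one indicator across all hunted sources."""
    ioc_type: str
    value: str
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    sources: Set[str] = field(default_factory=set)

    def record(self, source: str, when: Optional[datetime] = None) -> None:
        self.count += 1
        self.sources.add(source)
        if when is not None:
            if self.first_seen is None or when < self.first_seen:
                self.first_seen = when
            if self.last_seen is None or when > self.last_seen:
                self.last_seen = when


Hits = Dict[Tuple[str, str], Hit]


def _hit(hits: Hits, ioc_type: str, value: str) -> Hit:
    return hits.setdefault((ioc_type, value), Hit(ioc_type, value))


def hunt_access_log(text: str, feed: Dict[str, Set[str]], hits: Hits) -> int:
    """Check client IP, request path and user agent of each line against the feed.

    Returns the number of lines that did not parse, so gaps in coverage are visible.
    """
    skipped = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        for ioc_type, group in (("ip", "ip"), ("path", "path"), ("user_agent", "ua")):
            value = m[group]
            if value in feed.get(ioc_type, set()):
                _hit(hits, ioc_type, value).record("access_log", when)
    return skipped


def hunt_file_inventory(text: str, feed: Dict[str, Set[str]], hits: Hits) -> None:
    """Check file hashes against the feed after lower-casing the digest."""
    for line in text.splitlines():
        path, sep, digest = line.rpartition(",")
        if not sep:
            continue  # not a "path,hash" record
        digest = digest.strip().lower()
        if digest in feed.get("sha256", set()):
            _hit(hits, "sha256", digest).record(f"file_inventory:{path}")


def run_hunt(access_log: str = SAMPLE_ACCESS_LOG,
             inventory: str = SAMPLE_FILE_INVENTORY,
             feed: Dict[str, Set[str]] = IOC_FEED) -> Tuple[Hits, int]:
    """Run every hunt over the given sources; returns (hits, unparsed_line_count)."""
    hits: Hits = {}
    skipped = hunt_access_log(access_log, feed, hits)
    hunt_file_inventory(inventory, feed, hits)
    return hits, skipped


if __name__ == "__main__":
    found, unparsed = run_hunt()
    for (ioc_type, value), hit in sorted(found.items(), key=lambda kv: kv[0]):
        span = f"{hit.first_seen} .. {hit.last_seen}" if hit.first_seen else "no timestamp"
        print(f"{ioc_type:<10} {value[:40]:<40} hits={hit.count} {span} sources={sorted(hit.sources)}")
    print(f"unparsed lines: {unparsed}")
```

Two details matter in practice: the hunt reports how many lines it could not parse rather than silently dropping them (a malformed or rotated log is a coverage gap an analyst must know about), and it keeps first-seen and last-seen timestamps per indicator, which is what turns a hit list into a timeline for the incident responder.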